Malware, Phishing

Don’t get fooled again: Fake coronavirus emails impersonate the WHO to deliver FormBook trojan

Fears over the novel coronavirus have triggered mass quarantines, Purell and Clorox shortages and financial market turmoil. As global concerns continue to mount with the latest headlines – just today, it was reported that the head of the Port Authority of New York and New Jersey was infected – cyber fraudsters and threat actors continue to seize on those fears.

In one of the latest examples, researchers at MalwareHunterTeam reportedly have exposed a phishing scam that pretends to offer coronavirus information from the World Health Organization, but in reality distributes the GuLoader malicious downloader, which in turn installs the FormBook information-stealing trojan.

The emails, best viewed via a browser, include statistics on the virus and encourage the recipient to view an attached file, MY-HEALTH.PDF, in order to view the “the simplest and fastest ways” to take of one’s health while ensuring the well-being of others, BleepingComputer reports. The reader is also falsely instructed to reach out to an attacker-controlled email address to supposedly contact the “Corona-virus Disease Grants/Donation board for a grant or donation application.”

Upon infection, GuLoader reportedly downloads and decrypts an encrypted version of Formbook from Google Drive, and then injects it into the Windows process wininit. Formbook is capable of copying clipboard contests, keylogging, extracting data from HTTP sessions, and executing commands given by a command-and-control server. Such functionality can allow attackers to steal banking and website login credentials and cookies, the report continues.

In related news today, Tatyana Shcherbakova, senior web content analyst at Kaspersky, reported another email-based WHO impersonation scam -- one that purports to offer an attached document containing safety measures for preventing infection. Clicking on the button at the end of the email redirects users to a phishing website where they will be asked to input personal information.

In emailed comments, Shcherbakova said that the scam is indicative of "how cybercriminals recognize and are capitalizing on the important role WHO has in providing trustworthy information about the coronavirus," adding that the email campaign, which includes the WHO logo, "looks more realistic than other examples we have seen lately..."

Late last week, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance warning citizens to beware of coronavirus scams.

“Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes,” the advisory states. “Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.”

CISA recommends that users avoid interaction with links and email attachments in unsolicited emails; rely on only trusted, official sources for their COVID-19 information, avoid sharing personal and financial information in emails; and ensure that a charity is legitimate before donating.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.